All Products
Search
Document Center

PrivateLink:What is PrivateLink?

Last Updated:Aug 14, 2024

PrivateLink is a service used to establish private, stable, and secure connections between Virtual Private Cloud (VPC) and other Alibaba Cloud services. PrivateLink simplifies network architectures and prevents risks that arise from service access over the Internet.

Introduction

PrivateLink allows mutual service access between Alibaba Cloud VPCs based on their connections. You can use PrivateLink to allow a VPC to access cloud services in another VPC without the need to create Internet egresses such as NAT gateways and Elastic IP Address (EIP). PrivateLink provides high data security and network quality because data is not transmitted over the Internet.

image

Scenarios

PrivateLink allows you to establish private, stable, and secure connections between endpoint services and VPCs in which endpoints are deployed. PrivateLink facilitates network configurations and meets the requirements of various scenarios.

Share cloud services with another VPC

Share cloud services across VPCs

You can use PrivateLink to enable a VPC to access the Server Load Balancer (SLB) instances that serve as service resources in another VPC.

In the following figure, if you want VPC 1 to access the SLB instance in VPC 2 by using PrivateLink, you must specify the SLB instance as the service resource of the endpoint service in VPC 2, create an endpoint in VPC 1, and then connect the endpoint to the endpoint service in VPC 2.

image

Access Alibaba Cloud services by using PrivateLink

You can use PrivateLink to implement secure access to Alibaba Cloud services.

In the following figure, if you want the VPC to access OSS by using PrivateLink, you must specify OSS as the endpoint service, create an endpoint in the VPC, configure an endpoint policy, and then connect the endpoint to the endpoint service.OSS

image

Share cloud services in a VPC with a data center

You can use PrivateLink to enable a data center to access the SLB instances that serve as service resources in a VPC.

In the following figure, if you want the data center to access the SLB instance in VPC 2, you must share the SLB instance with VPC 1 by using PrivateLink, and connect VPC 1 with the data center by using an Express Connect circuit or a VPN gateway.

image

Terms

Before you use PrivateLink, make sure that you understand the terms that are described in the following table.

image

Term

Description

endpoint

You can connect an endpoint to an endpoint service to establish a PrivateLink connection that allows a VPC to access external services. Endpoints are created and managed by service consumers.

endpoint elastic network interface (ENI)

Endpoint ENIs serve as ingresses for endpoints to access endpoint services.

endpoint security group

Security groups can control the traffic between VPCs and endpoint ENIs. Each endpoint must be added to at least one security group. After an endpoint is added to a security group, all ENIs of the endpoint are associated with the security group.

endpoint service

After you create an endpoint service in a VPC, you can use an endpoint that is deployed in another VPC to access the endpoint service. Endpoint services are created and managed by service providers.

service resource

You can use endpoints to access the service resources of endpoint services.

Note
  • You can specify SLB instances as service resources, including Classic Load Balancer (CLB), Application Load Balancer (ALB), and Network Load Balancer (NLB) instances.

  • You can specify Alibaba Cloud services as service resources.

service whitelist

The service whitelist of an endpoint service is used to manage users who are allowed to access the service resources.

After an endpoint service is created, the ID of the Alibaba Cloud account of the service owner is automatically added to the service whitelist. Users whose account IDs are in the whitelist can query the endpoint service and use endpoints to connect to the endpoint service. If you want to allow a VPC that belongs to another Alibaba Cloud account to access the endpoint service, you must add the ID of the Alibaba Cloud account to the service whitelist.

endpoint connection

You can establish an endpoint connection between an endpoint and an endpoint service.

Components

The following table lists the components of the service consumer and service provider.PrivateLink

Entity

Component

Service consumer

  • Endpoint

  • Endpoint zone and ENI

  • Endpoint security group

Service provider

  • Endpoint service

  • Service resource

  • Service whitelist

  • Endpoint connection

You are not charged when you activate PrivateLink. After you activate PrivateLink, you are charged on a pay-as-you-go basis. Bills are generated on an hourly basis. You are charged instance fees and data transfer fees. For more information, see Billing.

The service consumer and service provider can use different Alibaba Cloud accounts. You can specify whether the service consumer or service provider to pay the bills.PrivateLink For more information, see the Payments section of the Billing topic.

Benefits

  • Low risks

    When you access endpoint services by using PrivateLink, requests are forwarded within Alibaba Cloud internal networks. This prevents risks that arise from service access over the Internet.

  • Independent network

    The networks of the service provider and service consumer are independent of each other, which enhances network reliability.

  • Security and controllability

    • When you use PrivateLink to access cloud services, you can add rules to the security group of the ENI that is used to access the services. This ensures higher security and fine-grained management.

    • When you use PrivateLink to access cloud services, you can configure endpoint policies to implement source authentication. This makes access manageable and more secure.

  • Low latency and high quality

    When you use PrivateLink to access cloud services, requests are forwarded within the same zone. This greatly reduces the network latency.

  • Simplified management

    PrivateLink allows you to access cloud services that are deployed in another VPC within the same account, or cloud services that belong to another account. This simplifies route and security configurations.

  • Real-time monitoring and analysis

    The flow log feature is used to record the inbound and outbound traffic over endpoint ENIs. This ensures the transparency and controllability of network communication.

Differences between PrivateLink connections and VPC peering connections

Category

PrivateLink connection

VPC peering connection

Accessed resources

Only the service resources such as SLB instances of endpoint services can be accessed.

All resources in VPCs can be accessed.

Communication direction

One-way communication. Only VPCs where endpoints are deployed can access the resources of endpoint services.

Two-way communication between two VPCs that establish a peering connection.

CIDR overlap

In a PrivateLink connection, the CIDR blocks of the two VPCs can overlap with each other without affecting each other.

In a VPC peering connection, the CIDR blocks of the two VPCs cannot overlap with each other.

Route configuration

The system automatically configures routes for the two VPCs that establish a PrivateLink connection. You do not need to manually configure routes.

You need to manually add routes to the route tables of the two VPCs in a VPC peering connection to manage traffic. The custom routes point to the peer VPCs.

Access PrivateLink

You can access and manage PrivateLink in the following ways by using an Alibaba Cloud account:

  • VPC console: a web console that supports interactive operations. The VPC console allows you to access services in a VPC from another VPC.

  • Alibaba Cloud SDKs: support multiple programming languages, such as Java, Go, PHP, Python, C#, and C++.

  • OpenAPI Explorer: allows you to retrieve and call API operations, and dynamically generates SDK sample code.

References

  • For information about the default quotas for PrivateLink endpoints and endpoint services, instructions for quota adjustments, and limits for IP versions, protocols, and backend service types, see Limits.

  • For information about the regions and zones that support PrivateLink, see Regions and zones that support PrivateLink.